Bugtraq mailing list archives
undocumented bugs - nfsd
From: tmogg () ZIGZAG PL (Mariusz Marcinkiewicz)
Date: Tue, 9 Nov 1999 11:39:39 +0100
Hi, this is the voice of lam3rZ (.pl)

-- Introduction -

After reading lcamtuf's posts I decided to write this one. A few months ago one of my friends - digit - found a bug in the Linux nfsd daemon. I made an example sploit around IV 1999. Now there is a new nfsd in the distributions, and nowhere was there information about the security weakness of the old version!

-- Affected -

Once more the affected distributions are RedHat 5.2 and Debian 2.1; Slackware isn't vulnerable even though it has the *same* version of nfsd. It's hard to say whether the bug is local or remote, please read the description.

-- Description -

Linux rpc.nfsd has a real_path bug. When a user tried to access a directory with a long path, nfsd got a SIGSEGV. There is a buffer overflow which we can exploit to get root privileges on the server machine. I don't remember all of the details but I'll try to write a few words ;)

The length of the path is checked if a user tries to make a long-path directory over NFS, but it isn't checked when he tries to remove it. One way to exploit this bug is creating a long-path dir locally and later rm'ing it over NFS. In some cases the bug can be exploited remotely: if the attacker has write access to the exported directories via ftpd.

That's all folks. cya

__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many () rast lodz pdi net
System Administrator && Tech Support <tmogg () zigzag pl> http://www.zigzag.pl
Security Advisor tmogg () hert org http://www.hert.org
[*] http://lam3rz.hack.pl
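The asymmetry the post describes (path length checked on create but not on remove) is the defect worth recognising in any server that resolves client-supplied paths into a fixed buffer. The C below is an added illustration written for this archive page, not nfsd's source: `old_style_accepts` models the flawed per-operation check, `handle_request` routes every operation through one bounded resolver so no entry point can skip the check; the buffer size and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_DEMO 64   /* constructed fixed-buffer size, like nfsd's real_path buffer */

enum nfs_op { OP_MKDIR, OP_RMDIR };

/* Flawed pattern from the post, as a decision function only: the length check
 * is done for MKDIR alone, so an overlong RMDIR path is accepted and would then
 * be copied into the fixed buffer (the copy itself is deliberately omitted).
 * Returns 1 if the request would be accepted, 0 if rejected. */
int old_style_accepts(enum nfs_op op, const char *rel)
{
    if (op == OP_MKDIR && strlen(rel) >= PATH_MAX_DEMO)
        return 0;          /* create is bounded ... */
    return 1;              /* ... remove is not: this is the bug */
}

/* Hardened form: one resolver joins export root and relative path into `out`
 * and refuses anything that does not fit, before any byte is written. */
static int resolve_path(const char *root, const char *rel, char *out, size_t outsz)
{
    size_t rlen = strlen(root), plen = strlen(rel);
    if (rlen + 1 + plen + 1 > outsz)      /* root + '/' + rel + NUL */
        return -1;                        /* reject as ENAMETOOLONG */
    memcpy(out, root, rlen);
    out[rlen] = '/';
    memcpy(out + rlen + 1, rel, plen + 1);
    return 0;
}

/* Every operation, create or remove, goes through resolve_path. Returns 0 when
 * accepted, -1 when the path is rejected. */
int handle_request(enum nfs_op op, const char *root, const char *rel)
{
    char real[PATH_MAX_DEMO];
    if (resolve_path(root, rel, real, sizeof real) != 0)
        return -1;
    (void)op;  /* a real server would now call mkdir()/rmdir() on `real` */
    return 0;
}

int main(void)
{
    char longpath[200];
    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    printf("old rmdir accepts long path: %d\n", old_style_accepts(OP_RMDIR, longpath));
    printf("hardened rmdir result:       %d\n", handle_request(OP_RMDIR, "/export", longpath));
    return 0;
}
```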